DarkGate malware campaigns linked to Vietnam-based cybercriminals


Cybercriminals based in Vietnam are believed to be behind attacks using DarkGate malware, which have targeted organizations in the UK, US and India since 2018.

WithSecure researchers tracked these attacks to an active group of cybercriminals using the information stealer Ducktail, which has been used in recent campaigns targeting Meta Business accounts.

The DarkGate and Ducktail campaigns were linked together based on non-technical indicators observed by researchers. These include lure files, themes, targeting and delivery methods. For example, the initial vector is often a LinkedIn message, which redirects the victim to a malicious file on Google Drive.

WithSecure also analyzed associated metadata, including metadata from LNK files, PDFs created using the Canva design service/tool, and MSI files created using an unlicensed version of EXEMSI.
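The linkage described above rests partly on document metadata: lure PDFs that share a producing tool can be grouped even when their lure themes differ. The following Python script is an added illustration of that kind of metadata pivot, not WithSecure's tooling and not code from the report. It extracts the Creator/Producer entries from a PDF's Info dictionary (literal and hex-encoded strings) and clusters a small corpus on that fingerprint. The sample PDF blobs and every metadata string other than "Canva" are constructed for the example and are not indicators from the article.

```python
import re

# Pull /Creator, /Producer and /Author entries out of a PDF's Info dictionary.
# Supports literal "(...)" strings and hex "<...>" strings (optionally UTF-16BE
# with a byte-order mark). Escaped or nested parentheses and compressed object
# streams are out of scope for this illustration.
_ENTRY_RE = re.compile(
    rb"/(Creator|Producer|Author)\s*(?:\(([^()]*)\)|<([0-9A-Fa-f\s]*)>)", re.S
)


def extract_pdf_info(pdf_bytes: bytes) -> dict:
    """Return a dict of the metadata keys found in the raw PDF bytes."""
    info = {}
    for m in _ENTRY_RE.finditer(pdf_bytes):
        key = m.group(1).decode("ascii")
        if m.group(2) is not None:
            value = m.group(2).decode("latin-1")
        else:
            raw = bytes.fromhex(re.sub(rb"\s", b"", m.group(3)).decode("ascii"))
            if raw.startswith(b"\xfe\xff"):
                value = raw[2:].decode("utf-16-be")
            else:
                value = raw.decode("latin-1")
        info[key] = value
    return info


def metadata_fingerprint(info: dict) -> tuple:
    # Pivot on the producing tool chain, not on the easily varied Author field.
    return (info.get("Creator", ""), info.get("Producer", ""))


def cluster_by_metadata(samples: dict) -> dict:
    """Group sample names by their (Creator, Producer) fingerprint."""
    clusters = {}
    for name, data in samples.items():
        fp = metadata_fingerprint(extract_pdf_info(data))
        clusters.setdefault(fp, []).append(name)
    return clusters


def make_sample_pdf(creator: bytes, producer: bytes) -> bytes:
    # Constructed stand-in for a lure PDF: just enough structure to carry an Info dict.
    return (b"%PDF-1.4\n1 0 obj\n<< /Creator " + creator
            + b" /Producer " + producer + b" >>\nendobj\n%%EOF\n")


# Constructed corpus. "Canva" mirrors the design tool named in the article;
# the other strings are assumed values for contrast, not indicators from the report.
SAMPLES = {
    "lure_a.pdf": make_sample_pdf(b"(Canva)", b"(Canva)"),
    "lure_b.pdf": make_sample_pdf(b"<FEFF00430061006E00760061>", b"(Canva)"),  # UTF-16BE "Canva"
    "lure_c.pdf": make_sample_pdf(b"(Canva)", b"(Canva)"),
    "invoice.pdf": make_sample_pdf(b"(Microsoft Word)", b"(Microsoft Word)"),
}

if __name__ == "__main__":
    for fp, names in cluster_by_metadata(SAMPLES).items():
        print(fp, "->", names)
```

On its own a shared producer string is weak evidence, since any user of the same tool yields it; the article's point is that it becomes meaningful when combined with overlapping lure themes, targeting and delivery paths.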

Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure, commented: “The DarkGate attacks we’ve seen have very strong identifiers that allowed us to draw connections between these attacks and others we’ve seen using different information stealers and malware, including Ducktail. Based on what we’ve observed, it’s very likely that a single actor is behind many of the campaigns we track that target Meta Business accounts.”

A wide range of activities

Although the campaigns have a very similar initial infection journey, researchers recognized that the functions of the two payloads differ significantly:

  • Ducktail is a dedicated information stealer, and once executed, it quickly steals credentials and session cookies from the local device and sends them back to the attacker. It also has an additional Facebook-focused feature whereby if it locates a Facebook Business account session cookie, it will attempt to add the attacker to the account as an administrator.
  • DarkGate is a remote access Trojan (RAT) with information theft functionality. Unlike Ducktail, it is stealthy and attempts to persist on the host. It is also used for various purposes, including deploying Cobalt Strike and ransomware. DarkGate also appears to be used by several independent actors. However, “the DarkGate behavior that most closely resembles and overlaps with the Ducktail campaigns is likely the same group of Vietnamese threat actors.”

Researchers also linked Lobshot and Redline Stealer malware to the same Vietnam-based threat actors.

Robinson highlighted how the growth of the cybercrime-as-a-service (CaaS) industry has made it more difficult to identify the groups behind specific campaigns.

“DarkGate has been around for a long time and is used by many groups for different purposes, not just this group or cluster in Vietnam. The flip side is that actors may use multiple tools for the same campaign, which could obscure the true extent of their activity from purely malware-based analysis,” he noted.
